U.S. Charges Two Iranians Over SamSam Ransomware Attacks

The U.S. Department of Justice on Wednesday announced that two Iranian men have been charged over their alleged role in creating the notorious SamSam ransomware and using it to extort hundreds of organizations.

Faramarz Shahi Savandi, 34, and Mohammad Mehdi Shah Mansouri, 27, face six hacking and extortion-related charges, including conspiracy to commit wire fraud, conspiracy to commit fraud and related activity in connection with computers, intentional damage to a protected computer, and transmitting a demand in relation to damaging a protected computer.

According to authorities, Savandi and Mansouri developed the SamSam ransomware in December 2015 and they have been improving it ever since. The alleged cybercriminals targeted over 200 organizations, including public institutions, municipalities, and hospitals, and their attacks are said to have caused over $30 million in losses.

One of SamSam’s high-profile victims was the City of Atlanta, which estimates that it will spend well over $10 million to deal with the effects of the attack. The recent attack on the Port of San Diego has also been attributed to SamSam and the two Iranian nationals. The list of victims also includes the City of Newark, the Colorado Department of Transportation, the University of Calgary in Canada, and several important healthcare-related entities.

The hackers researched their potential targets and conducted reconnaissance in order to find the right victims. Those efforts appear to have paid off, as investigators believe the two collected at least $6 million in ransom payments. Researchers estimated in January 2018 that the SamSam operators had made over $325,000 in just a 4-week period.

SamSam, also tracked as Samas and SamsamCrypt, is designed to encrypt files found on infected computers. The threat actors behind the ransomware demand the payment of a certain amount of money – the ransom is often tens of thousands of dollars in Bitcoin – in exchange for the decryption keys needed to recover the files. Authorities say Savandi and Mansouri used Iranian Bitcoin exchanges to exchange the cryptocurrency into Iranian rial.

The hackers leveraged the Tor anonymity network, attempted to hide their malicious activity by disguising it as legitimate network traffic, and launched their attacks outside regular business hours to make mitigation more difficult. They also encrypted data backups in an effort to prevent victims from recovering their files without paying the ransom.

Savandi and Mansouri have been added to the FBI’s Cyber Most Wanted list, but no reward is being offered for information leading to their capture.

It’s unclear if the U.S. believes the two are working on behalf of the Iranian government, but it would not be surprising. The North Korean government, for example, is said to have launched many cybercrime-like operations, including ransomware attacks, for profit.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.